Tencent Kubernetes Engine

Description of Role Permissions Related to Service Authorization

Last updated: 2024-12-11 18:50:30
When you use Tencent Kubernetes Engine (TKE), you need to authorize services to use relevant cloud resources. Each scenario usually contains policies that are defined for different roles in advance. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document introduces the details of each authorization policy, and the authorization scenarios and authorization steps for each role.
Note:
The sample roles in this document do not include the authorization policy for container image repositories. For details on TKE image-related permissions, see TKE Image Registry Resource-level Permission Settings.

TKE_QCSRole

After TKE is activated, Tencent Cloud grants your account the role TKE_QCSRole, which is associated with several preset policies by default. Policies that are not associated by default are granted only after you complete the corresponding authorization steps in the scenarios described below; once that is done, the policy appears in the role's list of authorized policies. The preset policies associated with TKE_QCSRole are:

The default associated preset policies

QcloudAccessForTKERole: The permission for TKE to access cloud resources.
QcloudAccessForTKERoleInOpsManagement: The permission for Ops management, including the log service.

Other associated preset policies

QcloudAccessForTKERoleInCreatingCFSStorageclass: The permission for TKE to operate on Cloud File Storage (CFS), including adding/deleting/querying CFS systems, and querying the mount targets of a file system.
QcloudCVMFinanceAccess: The CVM finance permission.

Preset policy QcloudAccessForTKERole

Authorization scenario

When you log in to the TKE console for the first time after registering a Tencent Cloud account, you need to go to the "Cloud Access Management" page and grant the current account the TKE permissions for operating on CVM, CLB, CBS and other cloud resources.

Authorization steps

1. Log in to the TKE console and click Cluster in the left sidebar. The "Service authorization" window pops up.
2. Click Go to Cloud Access Management to enter the "Role management" page.
3. Click Grant to complete the authorization.

Permission content

CVM

| Permission Name | Permission Description |
| --- | --- |
| cvm:DescribeInstances | Querying the list of server instances |
| cvm:*Cbs* | CBS-related permissions |

Tag

| Permission Name | Permission Description |
| --- | --- |
| tag:* | All features related to tags |

CLB

| Permission Name | Permission Description |
| --- | --- |
| clb:* | All features related to CLB |

TKE

| Permission Name | Permission Description |
| --- | --- |
| ccs:DescribeCluster | Querying the cluster list |
| ccs:DescribeClusterInstances | Querying cluster node information |

Preset policy QcloudAccessForTKERoleInOpsManagement

Authorization scenario

This policy is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, you have the permissions for the Ops-related features, including the log features.

Authorization steps

This policy is granted together with the preset policy QcloudAccessForTKERole, so no extra operation is needed.

Permission content

Log service

| Permission Name | Permission Description |
| --- | --- |
| cls:listTopic | Displaying the list of log topics under a specified logset |
| cls:getTopic | Viewing log topic information |
| cls:createTopic | Creating a log topic |
| cls:modifyTopic | Modifying a log topic |
| cls:deleteTopic | Deleting a log topic |
| cls:listLogset | Displaying the logset list |
| cls:getLogset | Viewing logset information |
| cls:createLogset | Creating a logset |
| cls:modifyLogset | Modifying a logset |
| cls:deleteLogset | Deleting a logset |
| cls:listMachineGroup | Displaying the server group list |
| cls:getMachineGroup | Viewing server group information |
| cls:createMachineGroup | Creating a server group |
| cls:modifyMachineGroup | Modifying a server group |
| cls:deleteMachineGroup | Deleting a server group |
| cls:getMachineStatus | Viewing server group status |
| cls:pushLog | Uploading logs |
| cls:searchLog | Querying logs |
| cls:downloadLog | Downloading logs |
| cls:getCursor | Getting the cursor based on time |
| cls:getIndex | Viewing indexes |
| cls:modifyIndex | Modifying indexes |
| cls:agentHeartBeat | Heartbeat |
| cls:getConfig | Getting the pusher configuration information |


Preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass

Authorization scenario

The Tencent Cloud CFS add-on lets you use file storage in TKE clusters. When you use this add-on for the first time, you need to authorize TKE to operate on the relevant resources, such as CFS file systems.

Authorization steps

1. Log in to the TKE console and click Cluster in the left sidebar.
2. On the "Cluster management" page, select the region and the ID of the target cluster to go to the cluster details page.
3. Select Add-on management and click Create.
4. On the "Add-on management" page, if CFS is selected as the add-on for the first time, click Service Authorization at the bottom of the page.
5. In the "Service authorization" window that pops up, click Cloud Access Management.
6. On the "Role management" page, click Grant to complete the authorization.

Permission content

File storage

| Permission Name | Permission Description |
| --- | --- |
| cfs:CreateCfsFileSystem | Creating a file system |
| cfs:DescribeCfsFileSystems | Querying file systems |
| cfs:DescribeMountTargets | Querying the mount targets of a file system |
| cfs:DeleteCfsFileSystem | Deleting a file system |


Preset policy QcloudCVMFinanceAccess

Authorization steps

1. Log in to the CAM console and select Roles in the left sidebar.
2. On the role list page, click TKE_QCSRole to enter the role management page.
3. On the TKE_QCSRole page, select Associate policy and confirm the operation in the "Risk tips" pop-up window.
4. In the "Associate policy" window that pops up, find the policy QcloudCVMFinanceAccess and select it.
5. Click Confirm to complete the process.

Permission content

| Permission Name | Permission Description |
| --- | --- |
| finance:* | CVM finance permission |


IPAMDofTKE_QCSRole

IPAMDofTKE_QCSRole is the service role for TKE IPAMD. After this role is granted, you associate its preset policy in the authorization scenario described below. Once that is done, the following policy appears in the role's list of authorized policies:
QcloudAccessForIPAMDofTKERole: The permission for TKE IPAMD to access cloud resources.

Preset policy QcloudAccessForIPAMDofTKERole

Authorization scenario

When you create a cluster in VPC-CNI network mode for the first time, you need to grant TKE IPAMD permission to access cloud resources so that the VPC-CNI network mode works normally.

Authorization steps

1. Log in to the TKE console and click Cluster in the left sidebar.
2. On the "Cluster Management" page, click Create or Create with a template above the cluster list.
3. On the "Create cluster" page, select VPC-CNI for Container network add-on in the "Cluster information" section, and click Service Authorization.
4. In the "Service authorization" window that pops up, click Go to Cloud Access Management.
5. On the "Role management" page, click Grant to complete the authorization.

Permission content

CVM

| Permission Name | Permission Description |
| --- | --- |
| cvm:DescribeInstances | Viewing the list of instances |

Tag

| Permission Name | Permission Description |
| --- | --- |
| tag:GetResourcesByTags | Querying the resource list by tag |
| tag:ModifyResourceTags | Batch modifying the tags associated with a resource |
| tag:GetResourceTagsByResourceIds | Querying the tags associated with a resource |

VPC

| Permission Name | Permission Description |
| --- | --- |
| vpc:DescribeSubnet | Querying the list of subnets |
| vpc:CreateNetworkInterface | Creating an ENI |
| vpc:DescribeNetworkInterfaces | Querying the list of ENIs |
| vpc:AttachNetworkInterface | Binding an ENI to a CVM |
| vpc:DetachNetworkInterface | Unbinding an ENI from a CVM |
| vpc:DeleteNetworkInterface | Deleting an ENI |
| vpc:AssignPrivateIpAddresses | Applying for private IP addresses for an ENI |
| vpc:UnassignPrivateIpAddresses | Returning the private IP addresses of an ENI |
| vpc:MigratePrivateIpAddress | Migrating the private IP addresses of an ENI |
| vpc:DescribeSubnetEx | Querying the list of subnets |
| vpc:DescribeVpcEx | Querying peering connections |
| vpc:DescribeNetworkInterfaceLimit | Querying the ENI quota |
| vpc:DescribeVpcPrivateIpAddresses | Querying the private IP addresses of a VPC |
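As an added example (not Tencent Cloud's code or tooling), the following Python script audits a CAM policy document against the action set documented above for QcloudAccessForIPAMDofTKERole and reports documented actions that are not covered (the role will fail at runtime), literal actions granted beyond the documented set, and wildcard grants that need a manual look; the sample policy and its JSON keys (version, statement, effect, action, resource) are a constructed assumption, and the same audit works for any other table on this page by passing that table's action set.

```python
import fnmatch
import json

# Documented action set for QcloudAccessForIPAMDofTKERole, copied from the tables above.
IPAMD_DOCUMENTED_ACTIONS = frozenset({
    "cvm:DescribeInstances",
    "tag:GetResourcesByTags", "tag:ModifyResourceTags", "tag:GetResourceTagsByResourceIds",
    "vpc:DescribeSubnet", "vpc:CreateNetworkInterface", "vpc:DescribeNetworkInterfaces",
    "vpc:AttachNetworkInterface", "vpc:DetachNetworkInterface", "vpc:DeleteNetworkInterface",
    "vpc:AssignPrivateIpAddresses", "vpc:UnassignPrivateIpAddresses",
    "vpc:MigratePrivateIpAddress", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx",
    "vpc:DescribeNetworkInterfaceLimit", "vpc:DescribeVpcPrivateIpAddresses",
})

# Constructed sample policy (assumption: CAM JSON syntax with version/statement/effect/action/resource).
# It relies on wildcards, omits several VPC actions and adds one action the IPAMD role does not need.
SAMPLE_POLICY = json.dumps({
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["cvm:DescribeInstances", "tag:*"], "resource": "*"},
        {"effect": "allow", "action": "vpc:*NetworkInterface*", "resource": "*"},
        {"effect": "allow", "action": ["vpc:DescribeSubnet", "cvm:TerminateInstances"],
         "resource": "*"},
    ],
})

def allowed_actions(policy_json):
    """Collect every action pattern granted by 'allow' statements ('action' is a string or a list)."""
    granted = set()
    for stmt in json.loads(policy_json).get("statement", []):
        if stmt.get("effect") != "allow":
            continue
        action = stmt.get("action", [])
        granted.update([action] if isinstance(action, str) else action)
    return granted

def audit(policy_json, documented):
    """Compare a policy against a documented action set.
    missing:   documented actions no granted pattern covers (the role will fail at runtime);
    extra:     literal actions granted but not documented (privilege beyond what TKE needs);
    wildcards: granted patterns containing '*' (they may cover documented actions, but also more)."""
    granted = allowed_actions(policy_json)
    covered = lambda action: any(fnmatch.fnmatchcase(action, pat) for pat in granted)
    return {
        "missing": sorted(a for a in documented if not covered(a)),
        "extra": sorted(p for p in granted if "*" not in p and p not in documented),
        "wildcards": sorted(p for p in granted if "*" in p),
    }

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, IPAMD_DOCUMENTED_ACTIONS), indent=2))
```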
